[WIP] add --keyring-provider flag
#2592
Conversation
tdyas
changed the title
--with-extra-pip-arg flag--with-extra-pip-arg flag
|
The "./dtox.sh -e py38-pip22_3_1-integration --shard 2/2" shard failure is bitrot from 11/11 addressed here: #2595 |
With |
| @@ -415,16 +415,21 @@ def test_keyring_provider( | |||
| download_dir = os.path.join(str(tmpdir), "downloads") | |||
| assert not os.path.exists(download_dir) | |||
|
|
|||
| with ENV.patch(PIP_KEYCHAIN_PROVIDER="invalid") as env, environment_as(**env): | |||
| assert "invalid" == os.environ["PIP_KEYCHAIN_PROVIDER"] | |||
| with ENV.patch(PIP_KEYRING_PROVIDER="invalid") as env, environment_as(**env): | |||
There was a problem hiding this comment.
I'm not sure if you've seen /home/jsirois/dev/pex-tool/pex/tests/integration/test_keyring_support.py, but its probably what you eventually want to amend to test the "import" + --extra-pip-requirement and "subprocess" + PATH means of hooking the keyring provider.
There was a problem hiding this comment.
Couldn't I just update that test to use the new --keyring-provider option instead of the existing --use-pip-config option? (Or paramterize the test to try both methods?)
There was a problem hiding this comment.
~the latter is exactly what I was suggesting, yes.
There was a problem hiding this comment.
Hopefully you've noticed though how tortured the very concept of a keyring provider is. There is a nasty bootstrap problem for any locked down org.
There was a problem hiding this comment.
Yeah, the whole shebang is a marvelous house of cards. The work in Pants using this support focuses on --keyring-provider=subprocess with a trampoline keyring script so Pants won't need to bootstrap keyring PyPi at all.
There was a problem hiding this comment.
Updated the integration test to test the option.
Weird failure with https://github.com/pex-tool/pex/actions/runs/11918318085/job/33215488401#step:5:5425 since the test should not have tried to execute with a Pip that does not support the option. Any thoughts?
There was a problem hiding this comment.
Absolutely. I'll hint you 1st: how do you think Pex implements --pip-version any-not-vendored-version?
There was a problem hiding this comment.
The answer to that is fairly obvious and I'm sure you've already forehead smacked. That said, solving is thornier. I already had to deal with how to bootstrap --pip-version any-not-vendored-version here:
Lines 290 to 305 in 3361e79
The context there is using a new enough Python (3.12+) where distutils is gone from the stdlib and vendored Pip fails as a result. In that situation I had to find another way to bootstrap a specific Pip version without using vendored Pip. So, basically, iff using the current python to python -mvenv nets a venv with a Pip new enough to support --keyring-provider, the thorny bootstrap can be just the thorny problem you described, solved with --keyring-provider subprocess and some pre-arranged provider on the PATH. If not, you have an even thornier bootstrap problem than you expected.
tdyas
changed the title
--with-extra-pip-arg flag--keyring-provider flag
Add a
--keyring-providerflag to allow Pex callers to configure Pip to use a keyring provider without the need to loosen the Pip isolated mode entirely as would be done if--use-pip-configwere passed.